Share this article on:
A high-profile run of privacy and data breaches in Australia has individuals once again questioning the amount and nature of data being collected about them.
The string of incidents has both resurfaced and reinvigorated the conversation about online privacy. Privacy means being free from observation and nowhere is this more important than the internet, where we must rely upon others to carry our traffic.
The internet is an unprecedented venue for connecting with others, transacting business, learning, and expressing ourselves.
However, some of the fundamental mechanics of the web lend themselves to surveillance technologies that track our behaviour, interests, and even personal relationships without our consent.
Research by Deloitte Australia shows the “majority of brands appear to conduct some form of online tracking and monitoring, even though the majority of consumers are uncomfortable with this”.
The same survey found “only 2 per cent of brands are disclosing potential data sharing, online tracking, or other specific uses of data during the customer experience at sign-up, outside of the privacy policy.”
There is a general trend towards giving internet users more power to decide how much of their traffic is being observed by third parties. Likewise, there are efforts to make more systems, applications, and other points of user interaction privacy-preserving by design.
It’s worth putting a spotlight on some of the work underway now to innovate and enhance the web’s privacy standard.
Protecting user metadata on the internet
Part of making the internet as good as it can be is ensuring that all users have control over who sees their information when they use the internet.
Today, it’s harder than ever for users to preserve their privacy with modern communications tools, but that reality only heightens the urgency of this work. Effectively, the entire internet has to be upgraded to be both more secure and easier for everyone to use securely.
One area of work to highlight is that both major mobile platforms, iOS and Android, have crucial internet privacy protection: Apple iCloud Private Relay is part of Apple’s platform, and INVISV is available for Android devices. These are also examples powered by Fastly’s global privacy proxy infrastructure.
Apple, and tens of millions of iCloud customers, now rely on Private Relay every day. To put this power into more people’s hands, the focus needed to shift to effectively replicating it for Android.
In order to connect to the internet, devices use IP addresses. All communications contain both your IP address and either the name or the IP address of the site you are visiting. However, these identifiers are nakedly visible to many entities in the network, such as your network provider, the site you are connecting to, and any third-party sites that are embedded in the site you are visiting. This allows the network operator, the primary site, and the third-party sites to know both your identity and the sites you are visiting, which has fuelled a booming data broker industry.
Relay services provide users with privacy protection as they use their mobile devices to access the internet, making it so that the nakedly visible information above is effectively not available to anyone besides the user. The underlying technology makes it impossible for anyone to independently know this private information.
Limiting what websites ‘need to know’
Another important development is of an authorisation protocol known as Private Access Tokens (PATs).
Internet users frequently encounter CAPTCHAs in their travels – tests that ask you to prove you’re a human. They are widely used to protect checkout flows, login pages, and other sensitive forms from automated abuse.
But there are problems with the model. CAPTCHA (and other bot mitigation) vendors gather browser data to make their human versus bot classification decisions, but don’t usually share what data they gather or how they use it, since it’s part of their secret sauce. They can also be bypassed by CAPTCHA-farming services, where low-wage humans solve the puzzles, and be a friction point in the online experience. Not every user passes a CAPTCHA test on their first attempt.
PATs address the fundamental problem with CAPTCHA and other bot mitigation techniques available today, which treat all traffic as suspicious and rely on user action and browser data to assess risk.
They use careful application of cryptography and requirements to guarantee that a website learns only exactly what it needs to know about a user in order to provide access to a resource. Human interaction is not required and there is no leakage of non-essential data.
The main limitation to PATs today is related to their novelty. Currently, only Apple devices running iOS 16 or MacOS Ventura (currently in beta) support PAT challenges. Until the ecosystem ramps up, a fallback system will still be needed. However, given the obvious benefit of this protocol and the enthusiasm in the space already, it appears to be only a matter of time until other big-name device, browser, and OS vendors begin supporting PATs.
Relay services and PATs are but two initiatives underway that will help preserve privacy on the internet. They get us all closer to the internet we all want – one that supports privacy while remaining fast and responsive.
Guy Brown is a senior security strategist at Fastly.